
Another Google redirect virus... I think?



#1 Vanessa Marilyn

  • Members
  • 4 posts

Posted 01 July 2009 - 03:55 PM

I've been searching for a thread that could allow me to fix this myself, but I'm a layman and I don't want to ruin my computer by mistake.

I have a Dell Inspiron 6000 that runs Windows XP and I use an older version of IE. I ran Malwarebytes and my Norton scan and neither came up with a virus, but I keep getting redirected to an ad site (overclick?) about 60% of the time I click a link in Google. Nothing else really seems to be affected, but my laptop is pretty slow.

I'm terrified of trashing my computer, so I need someone to walk me through how to detect and remove the virus/problem. Thanks so much to anyone who's willing!

#2 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 01 July 2009 - 04:28 PM

Posted 01 July 2009 - 04:28 PM

Hi and welcome to BC :thumbsup:

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C Drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

NOTE: If Rootrepeal fails to run, click Settings - Options. Slide the Disk Access control to High.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Vanessa Marilyn

  • Topic Starter
  • Members
  • 4 posts

Posted 01 July 2009 - 09:20 PM

Posted 01 July 2009 - 09:20 PM

Thanks for the reply, but I've tried to run Rootrepeal four times and each time it crashes my computer! Is there something else I can use?

#4 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 02 July 2009 - 12:19 PM

Posted 02 July 2009 - 12:19 PM

Let's try GMER

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



#5 Vanessa Marilyn

  • Topic Starter
  • Members
  • 4 posts

Posted 02 July 2009 - 08:37 PM

Posted 02 July 2009 - 08:37 PM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-02 21:34:05
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 860844F0 ZwEnumerateKey
Code 8609A170 ZwFlushInstructionCache
Code 86084526 IofCallDriver
Code 863FE346 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EDFEA 5 Bytes JMP 8608452B
.text ntkrnlpa.exe!IofCompleteRequest 804EE07A 5 Bytes JMP 863FE34B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AABBE 5 Bytes JMP 8609A174
PAGE ntkrnlpa.exe!ZwEnumerateKey 806196C6 5 Bytes JMP 860844F4
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE[580] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00DA000A
.text C:\WINDOWS\system32\wuauclt.exe[620] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003F000A
.text C:\WINDOWS\system32\winlogon.exe[664] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0062000A
.text C:\WINDOWS\system32\services.exe[712] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003A000A
.text C:\Program Files\Viewpoint\Common\ViewpointService.exe[788] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0093000A
.text ...
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00A99A00 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 00A99A38 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00A99994 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!AdjustWindowRectEx 7E420272 5 Bytes JMP 00A99E11 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!GetScrollInfo 7E420DA2 7 Bytes JMP 00A99943 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!ShowScrollBar 7E42F2B3 5 Bytes JMP 00A999E5 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!GetScrollPos 7E42F6C4 5 Bytes JMP 00A9995E C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!SetScrollPos 7E42F710 5 Bytes JMP 00A999AF C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!GetScrollRange 7E42F747 5 Bytes JMP 00A99979 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!SetScrollRange 7E42F95B 5 Bytes JMP 00A999CA C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!AdjustWindowRect 7E431100 5 Bytes JMP 00A99D36 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\Program Files\Common Files\Symantec Shared\ccApp.exe[2820] USER32.dll!EnableScrollBar 7E467DDD 7 Bytes JMP 00A99928 C:\Program Files\Common Files\Symantec Shared\SymTheme\1.0\SymTheme.dll (Symantec Theme/Symantec Corporation)
.text C:\WINDOWS\system32\wuauclt.exe[2920] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 003F000A
.text C:\WINDOWS\system32\ctfmon.exe[3008] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 088E000A
.text C:\Program Files\Apoint\Apntex.exe[3408] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0891000A
.text C:\Program Files\Digital Line Detect\DLG.exe[3420] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A1000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Documents and Settings\pierre\Desktop\ew28hd6v.exe[6132] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 009C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 408BF341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 40A51777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 40A516F8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 40A5173C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 40A51684 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 40A516BE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 40A517B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[6384] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 408E16B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe[12964] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00A4000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A2859C8A

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETkxjmryda.sys (*** hidden *** ) [SYSTEM] SKYNETwjqellqm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm@imagepath \systemroot\system32\drivers\SKYNETkxjmryda.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main@cmddelay 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkxjmryda.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETcmd.dll \systemroot\system32\SKYNETquhhctrj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETlog.dat \systemroot\system32\SKYNETohvwpxkf.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETwsp.dll \systemroot\system32\SKYNETiraiqyhg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNET.dat \systemroot\system32\SKYNETqcuutoyo.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm@imagepath \systemroot\system32\drivers\SKYNETkxjmryda.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main@cmddelay 7200
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main\connections
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main\delete
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main\injector
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\main\tasks
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkxjmryda.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules@SKYNETcmd.dll \systemroot\system32\SKYNETquhhctrj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules@SKYNETlog.dat \systemroot\system32\SKYNETohvwpxkf.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules@SKYNETwsp.dll \systemroot\system32\SKYNETiraiqyhg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules@SKYNET.dat \systemroot\system32\SKYNETqcuutoyo.dat

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\pierre\Local Settings\Temp\~DF776.tmp 0 bytes
File C:\Documents and Settings\pierre\Local Settings\Temp\~DF77B.tmp 0 bytes
File C:\WINDOWS\system32\drivers\SKYNETkxjmryda.sys 68608 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETiraiqyhg.dll 20992 bytes executable
File C:\WINDOWS\system32\SKYNETohvwpxkf.dat 132629 bytes
File C:\WINDOWS\system32\SKYNETqcuutoyo.dat 93 bytes
File C:\WINDOWS\system32\SKYNETquhhctrj.dll 43520 bytes executable
File C:\WINDOWS\Temp\SKYNETpbrkycyctf.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETpculcwwxea.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETpesjkwoqce.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETpuvlybohcs.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETqiwwqqjwxb.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETqoaivmbutn.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETqqhnoehqkk.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETqswjkesdxr.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETrndyudpugi.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETsdjuiqmqjf.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETsqmvddlxhb.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETstnafjeuin.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETtaoohfnila.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETtfpnoxmgfd.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETtqjlibifmj.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETtuubwywsrj.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETufhxjkijwi.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETgfcxveutxs.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNEToxijmucmis.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETujcqhmhiee.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETaequjxswrp.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETappnpngwkm.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETaxibcrpprx.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETbgdbgllaqp.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETcciingmhls.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETccxluprklg.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETcekqssrquq.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETctcogllbxk.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETewgxttkikr.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETfqguiweops.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETfybgwcdxlj.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETgwhkmuiqnh.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETgxikhymqda.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNEThdewffxssx.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNEThxllrrtild.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETjbkgosemph.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETjpwmxwkclu.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETksqlfxihlw.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETljxhhqaejn.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETmokdxepmqo.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETmsctcxhtxo.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETnfmporxpjx.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETngaumvkplq.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNEToidbtjcipl.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNEToqypuihbvr.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETouuoxxcnuv.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETvtfrkcwaao.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETwaksgkarst.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETwirrxgwttu.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETwqefmhomix.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETypjwwnlftu.tmp 18944 bytes executable
File C:\WINDOWS\Temp\SKYNETytcvsacaoe.tmp 18944 bytes executable

---- EOF - GMER 1.0.15 ----

#6 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 02 July 2009 - 08:44 PM

Posted 02 July 2009 - 08:44 PM

Welcome back Vanessa Marilyn,
I have some bad news - you have a rootkit. This is one of the newer variants of TDSS.

Service C:\WINDOWS\system32\drivers\SKYNETkxjmryda.sys (*** hidden *** ) [SYSTEM] SKYNETwjqellqm <-- ROOTKIT !!!


A word of caution is warranted here:

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steals sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

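The post above reads the GMER log by eye: four 5-byte JMP detours on kernel exports, a service the registry API hides, the "modules" values that tie the driver to its user-mode DLLs and data files, and a pile of executables in WINDOWS\Temp. The script below is an added example, not part of this thread and not GMER's own code, that does the same triage mechanically over a GMER log. The sample input is a constructed excerpt of the log posted in #5; the "far detour" flag is a heuristic assumed here (a JMP target more than 16 MiB from the patched export cannot be inside the ~2 MiB kernel image), and `jmp_rel32` shows what the "5 Bytes JMP" GMER reports actually encodes.

```python
"""Triage a GMER rootkit-scan log: kernel inline hooks, hidden services and
the registry/file artifacts that belong to them."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the GMER log posted in this thread,
# shortened so the script runs offline. Raw string, so the paths are literal.
SAMPLE_LOG = r"""
GMER 1.0.15.14972 - http://www.gmer.net

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EDFEA 5 Bytes JMP 8608452B
.text ntkrnlpa.exe!IofCompleteRequest 804EE07A 5 Bytes JMP 863FE34B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AABBE 5 Bytes JMP 8609A174
PAGE ntkrnlpa.exe!ZwEnumerateKey 806196C6 5 Bytes JMP 860844F4

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\SKYNETkxjmryda.sys (*** hidden *** ) [SYSTEM] SKYNETwjqellqm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm@imagepath \systemroot\system32\drivers\SKYNETkxjmryda.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkxjmryda.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETcmd.dll \systemroot\system32\SKYNETquhhctrj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETlog.dat \systemroot\system32\SKYNETohvwpxkf.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNETwsp.dll \systemroot\system32\SKYNETiraiqyhg.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\SKYNETwjqellqm\modules@SKYNET.dat \systemroot\system32\SKYNETqcuutoyo.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETwjqellqm\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETkxjmryda.sys

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\pierre\Local Settings\Temp\~DF776.tmp 0 bytes
File C:\WINDOWS\system32\drivers\SKYNETkxjmryda.sys 68608 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\SKYNETiraiqyhg.dll 20992 bytes executable
File C:\WINDOWS\Temp\SKYNETpbrkycyctf.tmp 18944 bytes executable

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HOOK_RE = re.compile(r"^\S+\s+(\S+?)!(\w+)\s+([0-9A-F]{8})\s+(\d+) Bytes JMP ([0-9A-F]{8})")
SERVICE_RE = re.compile(r"^Service (\S+) \((.*?)\) \[(\w+)\] (\S+)")
MODULE_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\Services\\(\w+)\\modules@(\S+) (\S+)$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes( executable)?")


def split_sections(text):
    """Bucket non-blank lines under the '---- <name> - GMER ... ----' header above them."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line)
    return sections


def kernel_hooks(sections):
    """Inline detours GMER found on kernel exports: '<sym> <addr> 5 Bytes JMP <target>'."""
    hooks = []
    for line in sections["Kernel code sections"]:
        m = HOOK_RE.match(line)
        if m:
            module, sym, addr, n, target = m.groups()
            addr, target = int(addr, 16), int(target, 16)
            hooks.append({"module": module, "symbol": sym, "address": addr,
                          "length": int(n), "target": target,
                          # Assumed heuristic: a target more than 16 MiB from the
                          # patched export cannot lie inside the ~2 MiB kernel image,
                          # so the detour lands in pool memory owned by something else.
                          "far_detour": abs(target - addr) > 0x1000000})
    return hooks


def jmp_rel32(src, dst):
    """Bytes of the 5-byte 'E9 rel32' detour GMER reports. rel32 is relative to
    the instruction after the JMP, hence dst - (src + 5)."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


def hidden_services(sections):
    """Services GMER saw in the kernel that the registry API does not return."""
    found = []
    for line in sections["Services"]:
        m = SERVICE_RE.match(line)
        if m and "hidden" in m.group(2):
            found.append({"name": m.group(4), "image": m.group(1), "account": m.group(3)})
    return found


def service_modules(sections, service):
    """'modules' values under the service key: alias -> on-disk path.
    ControlSet003 mirrors CurrentControlSet, so only the latter is read."""
    mods = {}
    for line in sections["Registry"]:
        m = MODULE_RE.match(line)
        if m and m.group(1) == "CurrentControlSet" and m.group(2) == service:
            mods[m.group(3)] = m.group(4)
    return mods


def executable_files(sections):
    """(path, size) for every file GMER flagged as executable."""
    return [(m.group(1), int(m.group(2)))
            for m in map(FILE_RE.match, sections["Files"]) if m and m.group(3)]


def triage(text):
    sections = split_sections(text)
    services = hidden_services(sections)
    return {"kernel_hooks": kernel_hooks(sections),
            "hidden_services": services,
            "modules": {s["name"]: service_modules(sections, s["name"]) for s in services},
            "executables": executable_files(sections)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for h in report["kernel_hooks"]:
        print(f"{h['module']}!{h['symbol']} @ {h['address']:08X} -> {h['target']:08X} "
              f"({jmp_rel32(h['address'], h['target']).hex().upper()}) far={h['far_detour']}")
    for s in report["hidden_services"]:
        print(f"hidden service {s['name']} -> {s['image']}")
        for alias, path in report["modules"][s["name"]].items():
            print(f"  {alias} = {path}")
    print(f"{len(report['executables'])} executable files flagged")
```

Run it against a real gmer.log by reading the file into `triage()` instead of `SAMPLE_LOG`. The point of linking the hidden service to its `modules` values is that every path listed there (driver, command DLL, Winsock provider DLL, log and data files) is something the rootkit itself keeps track of, which is a better deletion list than grepping for the SKYNET prefix alone.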


#7 Vanessa Marilyn

  • Topic Starter
  • Members
  • 4 posts

Posted 03 July 2009 - 04:03 AM

Posted 03 July 2009 - 04:03 AM

Well that's the worst news I've gotten in a while.

Before I ran the GMER program, I backed up all of my photos (9000, I'm a photographer) and 14GB of music, along with my favorites list and all my notebook documents. They're currently sitting on an external hard drive I share with my boyfriend. Should I consider those files tainted now? What can I do if they are?

I need a bit of time to decide what to do. I would be heartbroken to have to reformat seemingly my whole existence! I'll change everything ASAP on the second PC in the house and get back to you very shortly. Thank you so much for helping me!

#8 rigel

  • BC Advisor
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 03 July 2009 - 11:04 AM

Posted 03 July 2009 - 11:04 AM

This infection doesn't usually attack personal photos or documents. They should (??) be safe, but with rootkits you never know for sure. These programs also bring other malware with them so sometimes you deal with a virus cocktail of sorts. Let's do this... Post to the HJT forums and let one of the team use advanced tools to clean your computer. Advise them about your photos. They will give you your best chance of a cleaning.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

As an aside... I know how you feel. About 4 years ago, I lost some of my work in a folder I thought was secure. The problem was, when I reformatted, I forgot about the folder. I lost everything and felt sick for a week. I learned my lesson on backups.

Take care and good luck :thumbsup:
